There are essentially only five paths an attacker can take while performing a cyberattack on a target. Before we delve into those five paths, we need to first cover some basics around the MITRE ATT&CK framework, as we'll be referencing it throughout this article. The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base that describes the actions and behaviors of cyberattackers across the various stages of the cyberattack lifecycle. ATT&CK is developed and maintained by the MITRE Corporation, a non-profit organization that operates Federally Funded Research and Development Centers (FFRDCs) in the United States.

The ATT&CK framework is composed of several matrices, each of which covers a different environment, such as Mobile, ICS, and Enterprise. Each matrix is further broken down into TTPs (tactics, techniques, and procedures). As defined by the National Institute of Standards and Technology (NIST), TTPs are:

  • Tactics: the highest-level description of threat actor behavior.
  • Techniques: a more detailed description of the behavior in the context of a tactic.
  • Procedures: a lower-level, highly detailed description of the behavior in the context of a technique.